From: "Valentin Bud"
To: "Kevin K"
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Date: Thu, 8 May 2008 00:01:24 +0300
Message-ID: <139b44430805071401h664fe840r541afa063b7fe0ca@mail.gmail.com>
In-Reply-To: <006c01c8b084$e1d82670$a5887350$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

From the pf FAQ --- http://www.openbsd.org/faq/pf/filter.html#pass

quote:

"One will sometimes hear it said that, "One can not create state with UDP as UDP is a stateless protocol!" While it is true that a UDP communication session does not have any concept of state (an explicit start and stop of communications), this does not have any impact on PF's ability to create state for a UDP session. In the case of protocols without "start" and "end" packets, PF simply keeps track of how long it has been since a matching packet has gone through. If the timeout is reached, the state is cleared. The timeout values can be set in the options section of the pf.conf file."

On Wed, May 7, 2008 at 11:56 PM, Kevin K wrote:
> You cannot track state of stateless protocols such as UDP.
>
> > -----Original Message-----
> > From: Ansar Mohammed [mailto:ansarm@gmail.com]
> > Sent: Wednesday, May 07, 2008 4:54 PM
> > To: 'Jille'
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: RE: UDP weirdness
> >
> > But I thought pf would be tracking state?
> > Isn't that the whole point of stateful firewalls?
> >
> > > -----Original Message-----
> > > From: Jille [mailto:jille@quis.cx]
> > > Sent: May 7, 2008 4:50 PM
> > > To: Ansar Mohammed
> > > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > > Subject: Re: UDP weirdness
> > >
> > > Ansar Mohammed wrote:
> > > > Ok, so adding the line as you suggested worked.
> > > > Thanks Kevin.
> > > >
> > > > But why do I need to have both entries in for
> > > >
> > > > pass in proto udp from any to any port 53
> > > > pass out proto udp from any to any port 53
> > > >
> > > > what makes UDP so special?
> > > UDP is stateless.
> > > With TCP you've got a connection (identified by: local host:port and
> > > remote host:port)
> > > With UDP, well, you just throw the packages over the line, and hope
> > > there is (still) someone on the other end.
> > >
> > > So there is (almost) no way to detect whether packets are responses to
> > > each other
> > >
> > > -- Jille

-- 
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro
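An added example (not from any message in this thread) of what the quoted FAQ text looks like in a pf.conf: UDP state timeouts in the options section and a single stateful rule for outbound DNS, beside a stateless pair that needs a rule for the replies. The interface name em0 is an assumption, and the timeout values are the ones pf.conf(5) documents as defaults; on current pf `keep state` is already the default for pass rules and is written out only to make the point explicit.

```pf
# Added example for a host resolving DNS over UDP; "em0" is assumed.

# Options section: the UDP state timeouts the FAQ refers to (seconds).
#   udp.first    - set when the first packet creates the state entry
#   udp.single   - source keeps sending but the destination has not replied
#   udp.multiple - both sides have sent packets
# Values shown are the documented pf.conf(5) defaults, repeated here so the
# lifetime of a UDP state is visible in the config rather than implicit.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Default deny in both directions.
block all

# One stateful rule: the outgoing query creates a state entry keyed on the
# source/destination addresses and ports. The reply from port 53 matches
# that entry and is passed without any "pass in" rule for UDP 53. The entry
# is removed once no matching packet has been seen for the timeout above.
pass out on em0 proto udp from any to any port 53 keep state

# Stateless alternative: with "no state" neither direction creates an entry,
# so the replies must be allowed by an explicit rule of their own.
# pass out on em0 proto udp from any to any port 53 no state
# pass in  on em0 proto udp from any port 53 to any no state

# To see the UDP entries pf is tracking after a lookup: pfctl -ss
```

With the stateful rule loaded, `pfctl -ss` lists each DNS query as a `udp` state entry showing which of the three timeouts currently applies, which is the quickest way to confirm that pf is creating state for UDP.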